Cloudbleed: a Massive Oops, Not an Attack

Mar. 6, 2017  |  By Holly Dragoo & Joel Odom

Cloudflare, a domain name service and content delivery network (CDN) provider, announced in mid-February that data had been leaking from customer websites served through its reverse proxies. A memory-disclosure bug comparable in effect to the Heartbleed OpenSSL bug (revealed in 2014) caused some HTTP responses to include chunks of proxy memory from beyond the end of the buffer being parsed, memory that could hold data from other customers' requests; the leak could have been happening since September 2016, inspiring the nickname "Cloudbleed." Because of the distributed nature and effectively random selection of the data leaked, there is no certainty about exactly which customers were affected, though it is estimated that over 5 million websites could be at risk. The investigation is ongoing, but it appears to have been only a bug, not malware designed to exploit the vulnerability.

IISP Analyst Holly Dragoo: “What Cloudbleed means, hypothetically speaking, is if I were accessing my banking website and you were accessing your local news site, the potential for you to accidentally see my banking login information or financial data (among your requested data) exists. (Yikes!!!) So far there has been no known personal health, financial or identification data, passwords or encryption key disclosure. Due to the severity of the vulnerability, however, it’s not safe to assume all is ok, especially since some of the leaked data has been cached by search engines, making leaked data potentially retrievable. Change your passwords for everything.”

IISP Analyst Joel Odom: “The Cloudflare problem interests me because it makes a good example of how multiple minor issues can cause a major security failure. According to Cloudflare’s excellent explanation of the problem, they are using the Ragel state machine compiler in their development process. The Ragel compiler uses an equality check (==) to detect the end of a buffer, but Cloudflare was misusing Ragel in such a way that the buffer position pointer skipped the memory bound tested by the equality check. If Ragel had used an inequality check (>=) to detect the unexpected possibility of reading past the end of the buffer, the bounds test would have been safer, preventing the data leak. If Cloudflare had not made a mistake in their use of Ragel, the equality check would have worked, preventing the data leak. If Cloudflare had used separate memory for different proxied connections, the leaked data would have been inconsequential. When we write software, we should try to employ security best practices, even if they are minor, because we never know which one will stop a failure chain. Kudos to Cloudflare for publishing an excellent incident report.”
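The failure chain in the quote above, as an added example that is not part of the original page and is neither Ragel's generated code nor Cloudflare's parser: a small C state machine that scans the attributes of a tag inside a buffer shared with a second request. The two requests, the function names and the `hard_end` backstop (which only keeps the demo from touching unmapped memory) are all assumptions made for this illustration. Switching the end-of-buffer test from == to >= stops the overrun, and parsing a private copy of the request makes whatever the == version still reads worthless, which are the second and third links in the chain.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of the failure chain, not Ragel output and not
 * Cloudflare's parser. It reproduces only the three conditions:
 *   1. the generated end-of-buffer test is "p == pe" rather than "p >= pe";
 *   2. an action moves p by hand, so the generated p++ can step from pe to pe+1;
 *   3. the buffer being parsed sits in memory shared with another connection.
 * Removing any one of the three stops the leak.
 */

/* Constructed sample data, not real traffic: request A is a tag cut off
 * mid-attribute (no closing '>'), and request B's bytes follow it directly. */
#define A_LEN 15
static const char ARENA[] =
    "<script src=xyz"                  /* request A: exactly A_LEN bytes */
    " Cookie: sid=OTHER-USER-SECRET>"; /* request B: another customer's data */

enum state { S_TAGNAME, S_ATTRS, S_NAME, S_VALUE, S_DONE };

/*
 * Scan the attributes of the tag in buf[0..len). Every byte the scanner reads
 * beyond buf+len is copied into leak (up to leak_cap); the count is returned.
 * strict != 0 uses "p >= pe" as the end test; 0 uses the original-style "p == pe".
 * hard_end is the true end of the allocation and exists only so this demo never
 * reads unmapped memory; the real proxy had no such backstop.
 */
size_t scan_tag(const char *buf, size_t len, int strict,
                const char *hard_end, char *leak, size_t leak_cap)
{
    const char *p = buf, *pe = buf + len;
    enum state st = S_TAGNAME;
    size_t leaked = 0;

    for (;;) {
        if (strict ? (p >= pe) : (p == pe)) break;             /* generated EOF test */
        if (p >= hard_end) break;                              /* demo-only backstop */
        if (p >= pe && leaked < leak_cap) leak[leaked++] = *p; /* past A: B's byte */

        switch (st) {
        case S_TAGNAME:
            if (*p == ' ') st = S_ATTRS;
            else if (*p == '>') st = S_DONE;
            break;
        case S_ATTRS:
            if (*p == '>') st = S_DONE;
            else if (*p != ' ') st = S_NAME;
            break;
        case S_NAME:
            if (*p == '=') st = S_VALUE;
            else if (*p == ' ') st = S_ATTRS;
            else if (*p == '>') st = S_DONE;
            break;
        case S_VALUE:
            /* Action: consume the value by hand and leave p on the byte that
             * ended it. If the value runs to the end of the buffer, p stops
             * exactly at pe, and the generated p++ below moves it to pe + 1,
             * which "p == pe" can no longer catch. */
            while (p < pe && *p != ' ' && *p != '>') p++;
            st = (p < pe && *p == '>') ? S_DONE : S_ATTRS;
            break;
        case S_DONE:
            break;
        }
        if (st == S_DONE) break;
        p++;                                                   /* generated advance */
    }
    return leaked;
}

/* Parse request A inside the shared arena (conditions 2 and 3 both present). */
size_t scan_shared(int strict, char *leak, size_t leak_cap)
{
    return scan_tag(ARENA, A_LEN, strict, ARENA + sizeof ARENA - 1, leak, leak_cap);
}

/* Parse a private, zero-filled copy of request A: the same == bug still
 * overruns, but the bytes it reads belong to nobody else. */
size_t scan_isolated(char *leak, size_t leak_cap)
{
    char priv[32] = {0};
    memcpy(priv, ARENA, A_LEN);
    return scan_tag(priv, A_LEN, 0, priv + sizeof priv, leak, leak_cap);
}

/* True when the leaked bytes are exactly the string expect. */
int leak_equals(const char *leak, size_t n, const char *expect)
{
    return strlen(expect) == n && memcmp(leak, expect, n) == 0;
}

/* True when every leaked byte is zero (nothing of value was exposed). */
int leak_all_zero(const char *leak, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (leak[i] != 0) return 0;
    return 1;
}

int main(void)
{
    char leak[64];
    size_t n = scan_shared(0, leak, sizeof leak);
    printf("== test, shared buffer: %zu bytes of B read: \"%.*s\"\n", n, (int)n, leak);
    n = scan_shared(1, leak, sizeof leak);
    printf(">= test, shared buffer: %zu bytes of B read\n", n);
    n = scan_isolated(leak, sizeof leak);
    printf("== test, private buffer: %zu bytes read, all zero: %d\n", n, leak_all_zero(leak, n));
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run it: the == run hands back request B's cookie line, the >= run reads nothing past request A, and the private-buffer run reads only zeros. The hand-written loop inside `S_VALUE` is itself bounded by `p < pe`; the overrun comes from the one place where a hand-moved `p` meets the generated `p++` and an equality test, which is why a single `>=` in that test would have been enough.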
